A virtual private network (VPN) is an overlay network that provides secure communication channels through an underlying (usually public) network infrastructure (such as the Internet), as a relatively inexpensive alternative to private secure lines. Communications among the members of a VPN are typically automatically encrypted using secure keys known to the members of the group, as a means of achieving the desired privacy for the members.
The management of encrypted group communications entails burdens such as the establishment, maintenance, and distribution of encryption keys. For example, in some systems, all members of a particular VPN may utilize a single global encryption key for private communication with other group members. In such systems, removing a member from the VPN typically requires the group manager to revoke the old key and to distribute a new group key to all members, so that the removed member can no longer decrypt private group communications. In addition, a VPN application may require individual members or various combinations of members to use different keys for particular interactions. In such an application there is an even greater key management burden. Generally, as the number of members increases, and as membership changes dynamically with greater frequency, the complexity of the management burden increases. Thus, very large and/or dynamic VPNs can cause overloading of the group manager, that represents a potential single point-of-failure, and consequently traditional VPNs may be considered relatively non-scalable. As large, distributed enterprises and organizations in our society rely increasingly on secure and private electronic communication and interaction, the need for highly scalable VPN architecture grows ever more pronounced.
FIG. 1 is a schematic of a prior art system where VPN 110 is managed by master node 120. Prior art system VPN 110 is a typical simple-VPN. Communications among member nodes 130 a-c in VPN 110 are automatically encrypted using keys known to the appropriate group members, such that even though the communications are typically transmitted via the ordinary underlying public network infrastructure (e.g., the Internet), a “virtual” private channel may be effectively provided for group communications.
In a prior art system such as shown in FIG. 1, master node 120 is responsible for managing VPN 110 group membership by performing the functions associated with entry or exit to or from a group, such as authentication, as well as distribution and maintenance of the secure encryption keys for private communication. Master node 120 may simply be a service-providing node, or may be a member of the group who also serves as a group leader; see, e.g., the Enclaves™ system created by the assignee of the present invention and described in L. Gong, “Enclaves: Enabling Secure Collaboration Over the Internet,” published in Proceedings of the 6th USENIX Security Symposium, pp. 149-159, San Jose, CA (July 1996). In some typical VPN systems, the master node makes sure that all member nodes have up-to-date knowledge of the group encryption key and the identity of all current VPN group members, so that client communication software and/or hardware for each member node 130 can automatically encrypt communications and interactions addressed to other group members using appropriate encryption keys. Thus, if a group member leaves or is removed from the VPN group, master node 120 must notify all active group members of the membership change; must revoke the old group encryption key and generate a new one; and must provide the new key to all current members. Similarly, if a new node joins the group as a member, master node 120 usually notifies all active group members of the membership change. As noted previously in the “Background” section, this imposes a management burden on master node 120, resulting in scalability problems and limitations for large, dynamic, and other VPNs.